EJBCA / ECA-4310

Certificate profile key length restriction ignored when creating CA


      When creating a new CA with a custom certificate profile which restricts the key length to a specific size, this restriction is completely ignored. I.e., if the key length in the profile was set to only 4096 and the user provides a key of length 2048, EJBCA will still issue a certificate.

      The bug happens when using "CA Functions" -> "Certification Authorities" -> "Add CA", just to emphasise (I don't think end-entity sub CAs are affected).

      Reproduction steps:

      1. Create new certificate profile, based on "ROOTCA", calling it "TestRootCA".

      2. Edit the "TestRootCA" certificate profile, setting the available key lengths to "4096".

      3. Create a crypto token called "TestRootCA" (soft token will do).

      4. Create a 2048-bit RSA signing key named "signKey" in crypto token TestRootCA, a 1024-bit RSA key named "testKey", and a 2048-bit RSA key named "defaultKey".

      5. Create a new CA, using the "TestRootCA" certificate profile and crypto token "TestRootCA" (signKey as signing key, defaultKey as default key, and testKey as test key).

      Expected results:

      1. An error is shown to the user, stating that the key length for signing key used for CA does not comply with certificate profile restrictions.

      2. CA is not created.

      Actual results:

      1. CA is created.

      2. Resulting CA has a self-signed certificate with a 2048-bit public key.

      Additional notes:

      The default software token that gets created will sport 2048-bit RSA keys too, as a side note. I have also been able to renew these root CAs with differing key sizes (compared to what is specified in the profile).

      In a way, the certificate profile should serve as a bit of a parachute in case an operator creates the wrong key size, and this behaviour eliminates this useful restriction. That is why I have set the bug to critical (i.e. I don't need it immediately, but it's a bit of an ugly bug).
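The enforcement check the report expects on "Add CA", as an added stand-alone example; this is not EJBCA code and does not use any EJBCA API. It decodes a PKCS#1 RSAPublicKey (DER) with a minimal stdlib parser, reads the modulus size, and rejects the key when that size is not in the profile's allowed list, which is the "parachute" the reporter describes. The moduli are constructed random odd integers of the wanted bit length (not real RSA keys); `allowed_bits` stands in for the profile's "available key lengths" field.

```python
"""Profile key-length enforcement, the check ECA-4310 reports as missing on Add CA.
Pure Python stdlib; parses a PKCS#1 RSAPublicKey rather than a whole certificate."""
import secrets


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int = 65537) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value bytes, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus in a DER RSAPublicKey (2048 for a 2048-bit key)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_profile_key_length(der: bytes, allowed_bits) -> tuple:
    """The check the CA creation path should run before issuing the CA certificate.

    Returns (ok, message); ok is False when the signing key's size is not one of the
    certificate profile's allowed key lengths (assumption: profile is a set of ints)."""
    bits = rsa_modulus_bits(der)
    if bits not in allowed_bits:
        return False, (f"signing key is {bits}-bit RSA; certificate profile allows "
                       f"only {sorted(allowed_bits)}, refusing to create CA")
    return True, f"{bits}-bit RSA signing key complies with certificate profile"


def make_test_modulus(bits: int) -> int:
    """Constructed test input: a random odd integer of exactly `bits` bits.
    It is NOT a real RSA modulus; only its size matters for this check."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1


if __name__ == "__main__":
    profile_allowed = {4096}  # the "TestRootCA" profile from the report
    for size in (2048, 4096):
        key_der = encode_rsa_public_key(make_test_modulus(size))
        print(size, check_profile_key_length(key_der, profile_allowed))
```

Run against the report's scenario, the 2048-bit "signKey" is refused with the error the reporter expected, and only a 4096-bit key passes. For a deployed CA the same check can be applied to the CA certificate's SubjectPublicKeyInfo after the fact, which is how one would audit root CAs that were created or renewed while this bug was present.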


Johan Eklund
Branko Majic (Inactive)
Verified by: Mike Agrenius Kushner